
Theorem 1:

Once a subject has accessed an object the only other objects accessible by that subject lie within the same company dataset or within a different conflict of interest class.

Proof:

If this proposition is untrue then it is possible for some subject su to have access to two objects, oa and ob, which belong to the same conflict of interest class but different company datasets, i.e.

N(u, a) = true and N(u, b) = true and xa = xb and ya <> yb

Let us assume without loss of generality that access to oa was granted first. Then, when access to ob was granted, N(u, a) was already true and thus by A2 (xa <> xb) or (ya = yb). Then for our two objects oa and ob to exist:

(xa <> xb or ya = yb) and (xa = xb and ya <> yb)

i.e.

(xa <> xb and xa = xb and ya <> yb) or (ya = yb and xa = xb and ya <> yb)

which is always false.

Theorem 2:

A subject can at most have access to one company dataset in each conflict of interest class.

Proof:

A subject need not have access to any dataset since by A3, N is initially everywhere false. Suppose su then requests access to op. This request succeeds by A4 and our subject has access to one object within one company dataset.

By T1 the only objects then accessible to su lie within the same company dataset or within a different conflict of interest class, xq <> xp. Hence at most only one company dataset within any particular conflict of interest class is accessible to a single subject.

Theorem 3:

If for some conflict of interest class X there are XY company datasets then the minimum number of subjects which will allow every object to be accessed by at least one subject is XY.

Proof:

Suppose there are N subjects and for some conflict of interest class, X, there are XY company datasets. Let all of these subjects have access to the same company dataset, i.e. N subjects have access to company dataset (X, 1); and, by T2, no subject has access to company datasets (X, 2)...(X, XY).

We can access one of these, say (X, 2), by reallocating one of the subjects with access to (X, 1) to (X, 2), i.e. N - 1 subjects with access to (X, 1), one with access to (X, 2) and XY - 2 inaccessible datasets.

By induction, after n similar reallocations we have N - n subjects with access to (X, 1), one each for (X, 2)...(X, n + 1) and XY - (n + 1) inaccessible datasets. In order that all data sets are accessible we require XY = (n + 1) provided, of course, that the number of subjects with access to (X, 1) is at least one, i.e. N - n > 0. Hence we require the smallest value of N such that:

XY = (n + 1) and N - n > 0

i.e.

N - XY + 1 > 0

which has a minimum when

N - XY + 1 = 1

i.e. when N = XY.
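The three theorems above all rest on the access rule A2 (with A3 and A4 for the initial state). The following Python model is an added example, not code from the paper or from this page: it keeps the matrix N as a per-subject access history, implements A2-A4 as a single `permitted` check, and then exercises T1 (what remains accessible after one access), T2 (at most one dataset per class) and T3 (XY subjects suffice and are needed) on a constructed set of objects. The class names, subject names, dataset labels and the helpers `accessible`, `datasets_per_class`, `min_subjects` and `cover` are all assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    x: str   # conflict of interest class (the x-attribute)
    y: str   # company dataset (the y-attribute)


class ChineseWall:
    """Access matrix N: which objects each subject has accessed (A3: initially empty)."""

    def __init__(self):
        self.accessed = {}   # subject -> set of Obj

    def permitted(self, u, o):
        history = self.accessed.get(u, set())
        # A4: an empty history makes the first access unrestrained (all() over nothing).
        # A2: otherwise every previously accessed c must satisfy xc <> xr or yc = yr.
        return all(c.x != o.x or c.y == o.y for c in history)

    def access(self, u, o):
        if not self.permitted(u, o):
            return False
        self.accessed.setdefault(u, set()).add(o)
        return True

    def accessible(self, u, objects):
        """Theorem 1: names of the objects u could still be granted access to."""
        return {o.name for o in objects if self.permitted(u, o)}

    def datasets_per_class(self, u):
        """Theorem 2: distinct datasets held per class; the count never exceeds 1."""
        seen = {}
        for o in self.accessed.get(u, set()):
            seen.setdefault(o.x, set()).add(o.y)
        return {x: len(ys) for x, ys in seen.items()}


def min_subjects(objects):
    """Theorem 3: the largest class with XY datasets needs XY subjects."""
    per_class = {}
    for o in objects:
        per_class.setdefault(o.x, set()).add(o.y)
    return max(len(ys) for ys in per_class.values())


def cover(objects, n_subjects):
    """Greedy allocation: each object goes to the first of n subjects allowed to access it.
    Returns the names of the objects that ended up accessible to someone."""
    wall = ChineseWall()
    covered = set()
    for o in objects:
        for i in range(n_subjects):
            if wall.access(f"s{i}", o):
                covered.add(o.name)
                break
    return covered


# Constructed sample (hypothetical labels): a "bank" class with datasets A and B,
# and an "oil" class with datasets C, D and E, so XY = 3 for the oil class.
OBJECTS = [
    Obj("a1", "bank", "bankA"), Obj("a2", "bank", "bankA"), Obj("b1", "bank", "bankB"),
    Obj("c1", "oil", "oilC"), Obj("d1", "oil", "oilD"), Obj("e1", "oil", "oilE"),
]

if __name__ == "__main__":
    w = ChineseWall()
    w.access("u", OBJECTS[0])
    print("after a1, still accessible:", sorted(w.accessible("u", OBJECTS)))
    print("minimum subjects:", min_subjects(OBJECTS))
    print("covered with 3:", sorted(cover(OBJECTS, 3)))
    print("covered with 2:", sorted(cover(OBJECTS, 2)))
```

With three subjects the greedy allocation reaches every object; with two, the oil class is left with an uncovered dataset, exactly the bound T3 states. The `cover` routine is the proof's reallocation argument run forward rather than by induction.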


SANITIZED INFORMATION

Definition 2:

For any object os,

ys = yo implies that os contains sanitized information

ys <> yo implies that os contains unsanitized information

Axiom 5:

yo <---> xo

In other words, if an object bears the security label yo then it must also bear the label xo and vice versa. T2 tells us that all subjects can access this company dataset.

Axiom 6:

Write access to any object ob by any subject su is permitted if and only if N'(u, b) = true and there does not exist any object oa (N'(u, a) = true) which can be read by su for which:

ya <> yb and ya <> yo.

Theorem 4:

The flow of unsanitized information is confined to its own company dataset; sanitized information may however flow freely throughout the system.

Proof:

Let T = {(a, b)|N'(u, a) = true and N'(u, b) = true for some su in S}. We will interpret (a, b) as meaning that information may flow from oa to ob. The reflexive transitive closure T* then defines all possible information flows.

Let B = {(a, b)|(a, b) in OxO and ya <> yb and ya <> yo}. This is the set of all object pairs excluded by A6.

Thus the only possible information flows remaining after the introduction of A6 are given by C = T* minus B:

C = {(a, b)|not (ya <> yb and ya <> yo)}

= {(a, b)|not (ya <> yb) or not (ya <> yo)}

= {(a, b)|(ya = yb) or (ya = yo)}

Hence information may only flow between objects which belong to the same company dataset or originate from the sanitized dataset.

EXTENSION FOR CLARK AND WILSON

We now formally introduce the set P, the set of processes which we may interpret as those programs or sub-programs which a user may use to access whatever objects that the Chinese Wall policy grants him access to. We let A be a relation of SxP, representing those processes which a user is allowed to execute. Thus:

Axiom 7:

A user, su, may execute a process, pf, if and only if (u, f) is a member of A.

We augment L to include a third attribute, z (i.e. L = {(x, y, z)}), where z is a member of some set Z. Z(oj) is the function which determines the z-component of the security label of a given object oj (zj for short) and introduce PZ to represent the power set of Z. We then associate with each and every process, pf, a member of PZ, determined by the function PZ(pf), or pzf for short. We assert that processes can only access objects whose z-attribute is included in those of the process, i.e.

Axiom 8:

A process pf may only access an object or if

zr subset of pzf.

The access rules are now governed by A2-A4 and A6-A8. In particular an initially secure state exists when no user has ever accessed any object (A3) and the first ever access by any user to any object is entirely unrestrained (A4).

Users may, however, only access that object (say su and or respectively) via some process pf where (u, f) in A and for which zr subset of pzf (A7, A8).

Users may then access some other object or via pf if and only if for all N(u, c) = true:

((u, f) in A) and

(zr subset of pzf) and

((xc <> xr) or (yc = yr))

(A2, A7, A8)

and, finally, users may only write information to an object ob provided that access is not prohibited by any of the above rules and that there does not exist any object oa which can be read for which:

ya <> yb and ya <> yo

(A6).
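The combined rule set just summarised (A2 and A4 for access, A6 for writes against the sanitized dataset of the Sanitized Information section, A7 and A8 for the process extension) can be checked end to end in code. The following Python model is an added example, not code from the paper or from this page: it keeps the read/write matrix N' as separate read and write histories, applies A7 and A8 before A2, applies A6 only on writes, and finally builds the flow relation T and its transitive closure T* so that the Theorem 4 property (unsanitized information never leaves its dataset) can be verified on the recorded accesses. The label "public" for the sanitized dataset (so that xo = yo, as A5 requires), the process names, the z-attribute names and the relation A are constructed assumptions for this illustration.

```python
from dataclasses import dataclass

SANITIZED = "public"   # constructed label for the sanitized dataset: xo = yo = "public" (A5)


@dataclass(frozen=True)
class Obj:
    name: str
    x: str             # conflict of interest class
    y: str             # company dataset
    z: frozenset       # z-attribute added by the Clark-Wilson extension


@dataclass(frozen=True)
class Proc:
    name: str
    pz: frozenset      # PZ(pf): the z-attributes this process may touch


class ChineseWallRW:
    """Read/write matrix N' with the write rule A6 and the process rules A7, A8."""

    def __init__(self, allowed):
        self.allowed = set(allowed)   # the relation A on S x P (constructed)
        self.reads = {}               # user -> objects read
        self.writes = {}              # user -> objects written

    def _history(self, u):
        return self.reads.get(u, set()) | self.writes.get(u, set())

    def may_access(self, u, p, o):
        if (u, p.name) not in self.allowed:        # A7: user may execute the process
            return False
        if not o.z <= p.pz:                        # A8: zr subset of pzf
            return False
        # A4 when the history is empty, A2 otherwise: xc <> xr or yc = yr for all c.
        return all(c.x != o.x or c.y == o.y for c in self._history(u))

    def may_write(self, u, p, o):
        if not self.may_access(u, p, o):
            return False
        # A6: no readable oa with ya <> yb and ya <> yo (the sanitized dataset).
        return not any(a.y != o.y and a.y != SANITIZED for a in self.reads.get(u, set()))

    def read(self, u, p, o):
        ok = self.may_access(u, p, o)
        if ok:
            self.reads.setdefault(u, set()).add(o)
        return ok

    def write(self, u, p, o):
        ok = self.may_write(u, p, o)
        if ok:
            self.writes.setdefault(u, set()).add(o)
        return ok

    def flow_closure(self):
        """T = {(a, b) | some u read a and wrote b}; returns its transitive closure T*."""
        closure = {(a, b) for u in self.reads for a in self.reads[u]
                   for b in self.writes.get(u, set())}
        changed = True
        while changed:
            changed = False
            for (a, b) in list(closure):
                for (c, d) in list(closure):
                    if b == c and (a, d) not in closure:
                        closure.add((a, d))
                        changed = True
        return closure


def violates_t4(closure):
    """Flows carrying unsanitized information out of its own dataset (should be empty)."""
    return {(a.name, b.name) for a, b in closure if a.y != b.y and a.y != SANITIZED}


def run_scenario():
    # Constructed objects and processes; "ledger" data is only reachable via ledger_app.
    viewer = Proc("viewer", frozenset({"report"}))
    ledger_app = Proc("ledger_app", frozenset({"report", "ledger"}))
    p1 = Obj("p1", SANITIZED, SANITIZED, frozenset({"report"}))   # sanitized
    a1 = Obj("a1", "bank", "bankA", frozenset({"report"}))
    a2 = Obj("a2", "bank", "bankA", frozenset({"ledger"}))
    c1 = Obj("c1", "oil", "oilC", frozenset({"report"}))
    m = ChineseWallRW({("alice", "viewer"), ("alice", "ledger_app"), ("bob", "viewer")})
    results = {
        "alice_reads_p1": m.read("alice", viewer, p1),         # True
        "alice_reads_a1": m.read("alice", viewer, a1),         # True (different class)
        "alice_a2_via_viewer": m.read("alice", viewer, a2),    # False: A8, "ledger" not in pz
        "alice_writes_a2": m.write("alice", ledger_app, a2),   # True: A6 holds, same dataset
        "alice_writes_c1": m.write("alice", viewer, c1),       # False: A6, a1 is unsanitized
        "bob_reads_p1": m.read("bob", viewer, p1),             # True
        "bob_writes_c1": m.write("bob", viewer, c1),           # True: only sanitized input
        "bob_reads_a1": m.read("bob", ledger_app, a1),         # False: A7, not in A
    }
    results["t4_violations"] = violates_t4(m.flow_closure())   # set()
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Note that A2 alone would have let alice write into the oil dataset, since she holds nothing else in that class; it is A6 that stops the write, because her readable history contains bankA information that is neither sanitized nor destined for bankA. Bob's write of sanitized data into the same object is allowed, which is the "flows freely" half of Theorem 4; the closure check over all recorded reads and writes confirms that no flow pair violates ya = yb or ya = yo.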
